#
# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
# payload crafting functionality.
#
# Copyright (c) 2007-2013 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# This file is part of Ronin Exploits.
#
# Ronin is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ronin is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ronin.  If not, see <http://www.gnu.org/licenses/>
#

require 'ronin/exploits/exceptions/payload_size'
require 'ronin/payloads/shellcode'

module Ronin
  module Exploits
    module Helpers
      #
      # Adds methods to exploits for building buffers used in
      # buffer overflows.
      #
      # ## Target Parameters
      #
      # The buffer overflow helper uses the following target parameters:
      #
      # * `ip` (**required**) - The Instruction Pointer (IP) to overwrite
      #   on the stack.
      # * `bp` - The Base Pointer (BP) to overwrite on the stack.
      # * `buffer_length` - The length of the buffer to overflow.
      # * `stack_frame_repeat` - The number of times to repeat the
      #   overwritten stack frame.
      #
      # ## Payloads
      #
      # Uses the {Payloads::Shellcode} payload by default.
      #
      module BufferOverflow
        # The buffer to use for the buffer overflow.
        attr_accessor :buffer

        def self.extended(obj)
          obj.instance_eval do
            helper :binary
            helper :padding
          end
        end

        #
        # Specifies that the exploit should use the {Payloads::Shellcode}
        # class when searching for compatible payloads.
        #
        # @return [Class]
        #   Returns the {Payloads::Shellcode} class.
        #
        # @since 0.3.0
        #
        def payload_class
          Payloads::Shellcode
        end

        #
        # Tests the selected target has the `ip` target parameter.
        #
        # @return [true]
        #   The target is valid.
        #
        # @raise [TargetDataMissing]
        #   The target did not contain the `ip` target parameter.
        #
        # @since 1.0.0
        #
        def test_target!
          super

          unless target.param?(:ip)
            raise(TargetDataMissing,"no such target param 'ip'")
          end
        end

        protected
       
        #
        # Builds the buffer with the current target and payload to be
        # used in the buffer overflow exploit.
        #
        # @return [String]
        #   The built buffer.
        #
        # @raise [PayloadSize]
        #   The encoded payload is too large to fit within the targeted
        #   buffer length.
        #
        def build_buffer
          test_target!

          buffer = ''

          if target[:buffer_length]
            if raw_payload.length > target[:buffer_length]
              raise(PayloadSize,"the specified payload is too large for the target's buffer length")
            end

            buffer << pad(target[:buffer_length] - raw_payload.length)
          else
            buffer << raw_payload
          end

          ip_packed = pack(target.ip)

          stack_frame_repeat = (target[:stack_frame_repeat] || 1)

          if target[:bp]
            buffer << ((pack(target[:bp]) + ip_packed) * stack_frame_repeat)
          else
            buffer << ((ip_packed * 2) * stack_frame_repeat)
          end

          return buffer
        end
      end
    end
  end
end
